[Openstack-security] [openstack/glance] SecurityImpact review request change I9236cc85f4e9881ac1aa35d69bc6761a59c1b6c8

gerrit2 at review.openstack.org gerrit2 at review.openstack.org
Mon Jan 26 20:04:49 UTC 2015


Hi, I'd like you to take a look at this patch for potential
SecurityImpact.
https://review.openstack.org/80178

Log:
commit 82194e0c422966422f7a4e2157125c7ad8fbc5b5
Author: Fei Long Wang <flwang at catalyst.net.nz>
Date:   Thu Jan 22 14:22:09 2015 +1300

    Make digest algorithm configurable
    
    It would be great to enhance Glance to use a minimum of SHA2
    to do digital signatures for FIPS compliance, since FIPS
    (FEDERAL INFORMATION PROCESSING STANDARDS) says SHA-1 is not
    suitable for general-purpose digital signature applications
    (as specified in FIPS 186-3) that require 112 bits of
    security. In the case of digital signatures, SHA-1 does not
    provide the 112 bits of collision resistance needed to
    achieve the security strength.
    
    Now we're using a hardcoded 'sha1'. So this patch will make it
    configurable first and set the default value as sha1 in
    Kilo for a smooth upgrade, which will be changed to sha256
    in the next release (L).
    
    DocImpact
    UpgradeImpact
    SecurityImpact
    
    Closes-Bug: #1288545
    
    Change-Id: I9236cc85f4e9881ac1aa35d69bc6761a59c1b6c8
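As an added illustration (not Glance's code and not part of the patch under review) of what a configurable digest with a check against the 112-bit requirement cited in the commit message can look like; the option name, the default and the helper names are assumptions:

```python
import hashlib

# FIPS 186-3 era guidance, as cited in the commit message: general-purpose
# digital signatures need 112 bits of collision resistance. Collision
# resistance of a hash is roughly half its output length in bits.
MIN_SECURITY_BITS = 112

# Assumed option name and default: the commit only says the algorithm becomes
# configurable with 'sha1' as the Kilo default and sha256 planned for L.
DEFAULT_DIGEST_ALGORITHM = "sha1"


def digest_security_bits(algorithm):
    """Approximate collision resistance (bits) of a hashlib algorithm name."""
    h = hashlib.new(algorithm)  # raises ValueError for an unknown algorithm
    return h.digest_size * 8 // 2


def check_digest_algorithm(algorithm, min_bits=MIN_SECURITY_BITS):
    """Return (ok, reason) telling whether the configured digest meets min_bits.

    Intended to run at config load time so an operator who keeps the sha1
    default gets a clear message instead of silently weak signatures.
    """
    try:
        bits = digest_security_bits(algorithm)
    except ValueError:
        return False, "unknown digest algorithm %r" % (algorithm,)
    if bits < min_bits:
        return False, "%s gives ~%d bits of collision resistance, need %d" % (
            algorithm, bits, min_bits)
    return True, "%s gives ~%d bits of collision resistance" % (algorithm, bits)


def digest_image(data, algorithm=DEFAULT_DIGEST_ALGORITHM, chunk_size=65536):
    """Hash image bytes with the configured algorithm, streaming in chunks."""
    h = hashlib.new(algorithm)
    for offset in range(0, len(data), chunk_size):
        h.update(data[offset:offset + chunk_size])
    return h.hexdigest()
```

With the Kilo default the check reports sha1 as ~80 bits and fails; switching the option to sha256 (~128 bits) passes without any code change.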
